21CSE281T
Cryptography and Network Security
UNIT I
Unit-1 - Introduction to Security and Number Theory
Basics of Security – CIA Triad – Threats, Attacks and Services – Classical Cryptography – Symmetric and Asymmetric Ciphers – Substitution – Transposition – Cryptanalysis. Tutorial 1: Substitution techniques.
Number Theory: Groups, Rings, Fields – Modular Arithmetic – Euclidean Theorem – Extended Euclidean Theorem – Galois Field. Tutorial 2: Implement Euclid and Extended Euclid.
Prime Numbers – Fermat's Theorem – Euler's Totient Function – Euler's Theorem – Chinese Remainder Theorem – Primitive Roots – Discrete Logarithms – Elliptic Curve Arithmetic. Tutorial 3: Implement Chinese Remainder Theorem.
Basics of Security
• CIA Triad
• Attacks, services and mechanisms
• Types of attacks
• Security services
Definitions
Computer Security: generic name for the collection of tools designed to protect data and to thwart hackers.
Network Security: measures to protect data during their transmission.
Internet Security: measures to protect data during their transmission over a collection of interconnected networks.
CIA Triad
• The CIA Triad is a fundamental concept in information security, standing for Confidentiality, Integrity, and Availability.
Goals of Security
Confidentiality
Integrity
Availability
Attacks, Services and Mechanism
• Security Attack: Any action that compromises the
security of information.
• Security Mechanism: A mechanism that is
designed to detect, prevent, or recover from a security
attack.
• Security Service: A service that enhances the
security of data processing systems and information
transfers of an organization.
Types of Attacks
• Passive Threats:
  Release of Message Contents
  Traffic Analysis
• Active Threats:
  Masquerade
  Replay
  Modification of Message Contents
  Denial of Service
Passive attacks
Attempts to learn or make use of information from the system without affecting system resources (interception).
Release of message contents: the contents are easily understood, e.g. a telephone conversation.
Traffic analysis: the attacker observes the pattern of traffic (frequency, length and parties of messages) even when the contents themselves are protected.
Active attacks
Attempts to involve some modification of the data stream or the creation of a false stream: interruption, modification, fabrication.
Masquerade: one entity pretends to be a different entity, e.g. an authentication sequence is captured and replayed.
Replay: involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Modification: some portion of a legitimate message is altered, or messages are delayed or reordered.
Denial of service: prevents the normal use of facilities, e.g. an entity may suppress all messages.
Types of Attack
Normal Flow (figure: information flows from its source to the intended destination)
Interruption
This happens when an asset is destroyed or becomes unavailable or cannot be used.
This is an attack on the availability of the system.
Examples are destruction of a piece of hardware, the cutting of a cable, and disabling of a file management system.
Figure: cutting wire lines, jamming wireless signals, dropping packets.
Interception
Interception occurs when an unauthorized party gains access to an asset.
This attack means that there is no privacy; therefore it is an attack on confidentiality.
The unauthorized party could be an individual, a program or even another computer.
Examples can be seen in wiretapping to capture data in a network and copying of files which is not permitted.
Figure: wiretapping, eavesdropping.
Modification
If an unauthorized party gains access to a system and makes some changes to it, then this tampering is known as modification.
This is an attack on the integrity of the system or the organisation.
Examples
1. Changing of values in a file
2. Altering a program so that it performs differently, and changing the contents of messages that are sent over the network.
Figure: intercepted information is replaced by altered information before it reaches the destination.
Fabrication
If an unauthorized party gains access to the system and inserts false objects into it, this is fabrication and it degrades the authenticity of the system.
This is an attack on authenticity. Also called impersonation.
Examples of such an attack include a hacker gaining access to a person's email and sending messages, which makes the recipients believe that it is indeed the person sending the message when it is in fact not so; or it could be the addition of records to a file.
Security Services
Confidentiality (privacy)
Authentication (who created or sent the data)
Integrity (has not been altered)
Non-repudiation (the order is final)
Access control (prevent misuse of resources)
Availability (permanence, non-erasure)
  e.g. against denial of service attacks, or a virus that deletes files
Security Services
Confidentiality, also known as secrecy
Only an authorized recipient should be able to extract the
contents of the message from its encrypted form.
Authentication
The recipient should be able to identify the sender, and
verify that the purported sender actually did send the
message.
Integrity
The recipient should be able to determine if the message
has been altered (no duplication, insertion, modification,
reordering, or replays) during transmission.
Security Services
Non-repudiation
It prevents either sender or receiver from denying a
transmitted message.
Access control
Access control is the ability to limit and control the access
to host systems and applications via communication links.
Availability
A variety of attacks can result in the loss of or reduction in
availability. It requires some sort of physical action to
prevent or recover from loss of availability.
Classical Cryptography
• Symmetric and Asymmetric Ciphers
• Substitution Techniques
- Caesar Cipher
- Monoalphabetic Cipher
• Transposition Techniques
• Cryptanalysis: Techniques to Break Ciphers
Basic terminology
• Plaintext: original message to be encrypted
• Ciphertext: the encrypted message
• Enciphering or encryption: the process of
converting plaintext into ciphertext
• Encryption algorithm: performs encryption
– Two inputs: a plaintext and a secret key
Symmetric Cipher Model
• Deciphering or decryption: recovering
plaintext from ciphertext
• Decryption algorithm: performs decryption
– Two inputs: ciphertext and secret key
• Secret key: same key used for encryption and
decryption
– Also referred to as a symmetric key
• Cipher or cryptographic system : a scheme for
encryption and decryption
• Cryptography: science of studying ciphers
• Cryptanalysis: science of studying attacks
against cryptographic systems
• Cryptology: cryptography + cryptanalysis
Ciphers
• Symmetric cipher: same key used for encryption
and decryption
– Block cipher: encrypts a block of plaintext at a time
(typically 64 or 128 bits)
– Stream cipher: encrypts data one bit or one byte at a
time
• Asymmetric cipher: different keys used for
encryption and decryption
Symmetric Encryption
• Also called conventional / secret-key / single-key encryption
• Sender and recipient share a common key
• All classical encryption algorithms are symmetric
• The only type of cipher prior to the invention of asymmetric-key ciphers in the 1970s
• By far the most widely used
Symmetric Encryption
Mathematically:
Y = E_K(X) or Y = E(K, X)
X = D_K(Y) or X = D(K, Y)
where
X = plaintext
Y = ciphertext
K = secret key
E = encryption algorithm
D = decryption algorithm
Both E and D are publicly known.
Cryptanalysis
• Objective: to recover the plaintext of a
ciphertext or, more typically, to recover the
secret key.
• Kerckhoffs's principle: the adversary knows all details about a cryptosystem except the secret key.
• Two general approaches:
  – brute-force attack
  – non-brute-force attack (cryptanalytic attack)
Brute-Force Attack
• Try every key to decipher the ciphertext.
• On average, need to try half of all possible keys
• Time needed proportional to size of key space
Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds
56 | 2^56 = 7.2 × 10^16 | 2^55 µs = 1142 years | 10.01 hours
128 | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years
168 | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years
Classical Ciphers
• Plaintext is viewed as a sequence of elements
(e.g., bits or characters)
• Substitution cipher: replacing each element of the
plaintext with another element.
• Transposition (or permutation) cipher:
rearranging the order of the elements of the
plaintext.
• Product cipher: using multiple stages of
substitutions and transpositions
Tutorial 1: Substitution Techniques
• Implement Caesar Cipher
• Implement Monoalphabetic Cipher
• Analyze Ciphertext with Frequency
Analysis
Caesar Cipher
• Earliest known substitution cipher
• Invented by Julius Caesar
• Each letter is replaced by the letter three positions further down the alphabet.
Example:
Plain Text:  I CAME I SAW I CONQUERED
Cipher Text: L FDPH L VDZ L FRQTXHUHG
The mapping is (key value = 3):
Position: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
Plain:    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher:   D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Caesar Cipher
• Mathematically, map letters to numbers:
  a, b, c, ..., x, y, z
  0, 1, 2, ..., 23, 24, 25
• Then the general Caesar cipher is:
  c = E_K(p) = (p + k) mod 26
  p = D_K(c) = (c − k) mod 26
• Can be generalized to any alphabet.
Cryptanalysis of Caesar Cipher
• Key space: {0, 1, ..., 25}
• Vulnerable to brute-force attacks: only 25 non-trivial keys to try.
• E.g., break the ciphertext "UNOU YZGZK"
• Need to be able to recognise the plaintext when it appears among the candidates.
• What if the plaintext is written in Swahili?
Monoalphabetic Substitution Cipher
• Shuffle the letters and map each plaintext letter to a
different random ciphertext letter:
Plain letters: abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
• What does a key look like?
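The Caesar cipher with its general key k, the 26-key brute-force search from the previous slide, and the monoalphabetic substitution with the key shown above, as an added Python example (not part of the course slides); the function names are my own.

```python
# Added example (not from the lecture slides): the Caesar cipher with the
# general key k, a brute-force search over its 26-element key space, and a
# monoalphabetic substitution cipher keyed by a permutation of the alphabet.
import string

ALPHABET = string.ascii_uppercase  # letters a..z are numbered 0..25


def caesar_encrypt(plaintext: str, k: int) -> str:
    """c = E_k(p) = (p + k) mod 26; non-letters (spaces) pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = D_k(c) = (c - k) mod 26, i.e. encryption with the key -k."""
    return caesar_encrypt(ciphertext, -k)


def caesar_brute_force(ciphertext: str) -> dict:
    """Try every key in {0, ..., 25}; the analyst must recognise the plaintext."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(26)}


def mono_encrypt(plaintext: str, cipher_letters: str) -> str:
    """Key = a permutation of the alphabet; plain letter i -> cipher_letters[i]."""
    if sorted(cipher_letters.upper()) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 letters")
    table = str.maketrans(ALPHABET, cipher_letters.upper())
    return plaintext.upper().translate(table)


def mono_decrypt(ciphertext: str, cipher_letters: str) -> str:
    """Invert the permutation: cipher_letters[i] -> plain letter i."""
    table = str.maketrans(cipher_letters.upper(), ALPHABET)
    return ciphertext.upper().translate(table).lower()


if __name__ == "__main__":
    print(caesar_encrypt("I CAME I SAW I CONQUERED", 3))
    for k, guess in caesar_brute_force("UNOU YZGZK").items():
        print(k, guess)          # key 6 gives readable English
    print(mono_encrypt("ifwewishtoreplaceletters", "DKVQFIBJWPESCXHTMYAUOLRGZN"))
```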
Monoalphabetic Cipher Security
• Instead of shifting the alphabet by a fixed amount as in the Caesar cipher, any random permutation of the alphabet is used. This type of encryption is called a monoalphabetic substitution cipher.
• For example, if A is replaced by Q, B by D, C by T, etc., the cipher is comparatively stronger than the Caesar cipher.
• The number of alternative keys now becomes 26!.
• Thus, a brute-force attack is impractical in this case.
• However, another attack is possible. Human languages are redundant, i.e. certain characters are used more frequently than others. This fact can be exploited.
Monoalphabetic Cipher Security
• In English 'e' is the most common letter, followed by 't', 'r', 'n', 'o', 'a', etc.
• Letters like 'q', 'x', 'j' are less frequently used.
• Moreover, digrams like 'th' and trigrams like 'the' are also more frequent.
• Tables of frequency of these letters exist. These can be used to guess the plaintext if the plaintext is in uncompressed English.
• The most common two-letter combinations are called digrams, e.g. th, in, er, re and an.
• The most common three-letter combinations are called trigrams, e.g. the, ing, and, and ion.
Language Statistics and Cryptanalysis
• Human languages are not random.
• Letters are not equally frequently used.
• In English, E is by far the most common letter,
followed by T, R, N, I, O, A, S.
• Other letters like Z, J, K, Q, X are fairly rare.
• There are tables of single, double & triple letter
frequencies for various languages
English Letter Frequencies (figure: relative frequency of each letter in English text)
Statistics for double & triple letters
• In decreasing order of frequency
• Double letters:
th he an in er re es on, …
• Triple letters:
the and ent ion tio for nde, …
Use in Cryptanalysis
• Key concept: monoalphabetic substitution does not
change relative letter frequencies
• To attack, we
– calculate letter frequencies for ciphertext
– compare this distribution against the known one
Example Cryptanalysis
• Given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
• Count relative letter frequencies (see the table below)
• Guess {P, Z} = {e, t}
• Of double letters (digrams), ZW has the highest frequency, so guess ZW = th and hence ZWP = the
• Proceeding with trial and error, finally get:
it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow
Letter frequencies in ciphertext
P 13.33 H 5.83 F 3.33 B 1.67 C 0.00
Z 11.67 D 5.00 W 3.33 G 1.67 K 0.00
S 8.33 E 5.00 Q 2.50 Y 1.67 L 0.00
U 8.33 V 4.17 T 2.50 I 0.83 N 0.00
O 7.50 X 4.17 A 1.67 J 0.83 R 0.00
M 6.67
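Letter and digram counting over the ciphertext of the previous slide, and a partial decryption under the slide's guesses (P = e, Z = t, W = h), as an added Python example (not the slides' own code); the function names are my own.

```python
# Added example (not from the slides): letter and digram statistics for the
# ciphertext on the previous slide, plus a partial decryption under the guesses
# the slide makes (P -> e, Z -> t, W -> h).  The ciphertext is the slide's own.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)


def letter_frequencies(text: str) -> dict:
    """Relative frequency (percent, 2 decimals) of every letter A..Z in text."""
    letters = [c for c in text.upper() if c.isalpha()]
    counts = Counter(letters)
    n = len(letters)
    if n == 0:
        return {ch: 0.0 for ch in ALPHABET}
    return {ch: round(100.0 * counts[ch] / n, 2) for ch in ALPHABET}


def most_common(text: str, k: int) -> list:
    """The k most frequent letters, highest first (ties broken alphabetically)."""
    freq = letter_frequencies(text)
    return sorted(freq, key=lambda ch: (-freq[ch], ch))[:k]


def digram_counts(text: str) -> Counter:
    """Counts of overlapping two-letter sequences in the ciphertext."""
    t = "".join(c for c in text.upper() if c.isalpha())
    return Counter(t[i:i + 2] for i in range(len(t) - 1))


def partial_decrypt(text: str, guesses: dict) -> str:
    """Apply a partial key; ciphertext letters not yet guessed are shown as '-'."""
    return "".join(guesses.get(c, "-") for c in text.upper() if c.isalpha())


if __name__ == "__main__":
    freq = letter_frequencies(CIPHERTEXT)
    print("P", freq["P"], "Z", freq["Z"], "S", freq["S"], "U", freq["U"])
    print("most common digrams:", digram_counts(CIPHERTEXT).most_common(5))
    print(partial_decrypt(CIPHERTEXT, {"P": "e", "Z": "t", "W": "h"}))
```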
Playfair Cipher
• Not even the large number of keys in a monoalphabetic cipher provides security.
• One approach to improving security is to encrypt multiple letters at a time.
• The Playfair Cipher is the best known such cipher.
• Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair.
Playfair Key Matrix
• Use a 5 x 5 matrix.
• Fill in letters of the key without duplicates.
• Fill the rest of matrix with other letters.
• E.g., key = MONARCHY.
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Encrypting and Decrypting
Plaintext is encrypted two letters at a time.
1. If a pair is a repeated letter, insert a filler like 'X'.
2. If both letters fall in the same row, replace each with the letter to its right (circularly).
3. If both letters fall in the same column, replace each with the letter below it (circularly).
4. Otherwise, each letter is replaced by the letter in the same row but in the column of the other letter of the pair.
Playfair Cipher
s i/j m p l
e a b c d
f g h k n
o q r t u
v w x y z
Key: simple
Playfair Cipher
1. Use a filler letter to separate repeated letters, e.g. good → goxod
2. Encrypt two letters together:
   Same row: each letter is replaced by the letter following it, e.g. ac → bd
   Same column: each letter is replaced by the letter under it, e.g. qw → wi
   Otherwise: each letter is replaced by the corner of the rectangle in its own row, e.g. ar → bq
https://www.youtube.com/watch?v=quKhvu2tPy8
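The Playfair key matrix and the four encryption rules, as an added Python example (not part of the slides); it reproduces the MONARCHY and "simple" matrices above, treats I and J as one cell as on the slide, and uses function names of my own.

```python
# Added example (not from the slides): Playfair key matrix construction and
# encryption/decryption by the four rules on the slides.  I and J share a cell.
import string


def key_matrix(key: str) -> list:
    """5x5 matrix: key letters first (no duplicates), then the remaining letters."""
    seen = []
    for ch in (key + string.ascii_lowercase).lower():
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def _position(matrix: list, ch: str) -> tuple:
    for r, row in enumerate(matrix):
        if ch in row:
            return r, row.index(ch)
    raise ValueError("letter not in matrix: " + ch)


def prepare(plaintext: str, filler: str = "x") -> str:
    """Keep letters only, J->I, split a repeated pair with a filler, pad to even length."""
    letters = [("i" if c == "j" else c) for c in plaintext.lower() if c.isalpha()]
    out = []
    i = 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:            # rule 1: repeated letter in a pair -> insert filler
            out.append(a + filler)
            i += 1
        else:
            out.append(a + b)
            i += 2
    return "".join(out)


def _shift_pair(matrix: list, pair: str, step: int) -> str:
    """step=+1 encrypts (right/below), step=-1 decrypts (left/above)."""
    (r1, c1), (r2, c2) = _position(matrix, pair[0]), _position(matrix, pair[1])
    if r1 == r2:                       # rule 2: same row
        return matrix[r1][(c1 + step) % 5] + matrix[r2][(c2 + step) % 5]
    if c1 == c2:                       # rule 3: same column
        return matrix[(r1 + step) % 5][c1] + matrix[(r2 + step) % 5][c2]
    return matrix[r1][c2] + matrix[r2][c1]   # rule 4: rectangle corners


def encrypt_pair(key: str, pair: str) -> str:
    return _shift_pair(key_matrix(key), pair.lower(), +1)


def playfair_encrypt(key: str, plaintext: str) -> str:
    m = key_matrix(key)
    text = prepare(plaintext)
    return "".join(_shift_pair(m, text[i:i + 2], +1) for i in range(0, len(text), 2)).upper()


def playfair_decrypt(key: str, ciphertext: str) -> str:
    """Returns the prepared plaintext (fillers included), lower case."""
    m = key_matrix(key)
    text = ciphertext.lower()
    return "".join(_shift_pair(m, text[i:i + 2], -1) for i in range(0, len(text), 2))


if __name__ == "__main__":
    for row in key_matrix("monarchy"):
        print(" ".join(row))
    print(playfair_encrypt("monarchy", "balloon"))   # ba lx lo on -> IBSUPMNA
```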
Security of Playfair Cipher
• Equivalent to a monoalphabetic cipher with an
alphabet of 26 x 26 = 676 characters.
• Security is much improved over the simple
monoalphabetic cipher.
• Was widely used for many decades
  – e.g. by US & British military in WW1 and early WW2
• Once thought to be unbreakable.
• Actually, it can be broken, because it still leaves some structure of the plaintext intact.
Polyalphabetic Substitution Ciphers
• A sequence of monoalphabetic ciphers (M1, M2,
M3, ..., Mk) is used in turn to encrypt letters.
• A key determines which sequence of ciphers to
use.
• Each plaintext letter has multiple corresponding
ciphertext letters.
• This makes cryptanalysis harder since the letter
frequency distribution will be flatter.
Vigenère Cipher
• Simplest polyalphabetic substitution cipher
• Consider the set of all Caesar ciphers:
{ Ca, Cb, Cc, ..., Cz }
• Key: e.g. security
• Encrypt each letter using Cs, Ce, Cc, Cu, Cr, Ci,
Ct, Cy in turn.
• Repeat from start after Cy.
• Decryption simply works in reverse.
Example of Vigenère Cipher
Keyword: deceptive
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Security of Vigenère Ciphers
• There are multiple (how many?) ciphertext letters
corresponding to each plaintext letter.
• So, letter frequencies are obscured but not totally lost.
• To break the Vigenère cipher:
  1. Try to guess the key length. How?
  2. If the key length is N, the cipher consists of N Caesar ciphers. Plaintext letters at positions k, N+k, 2N+k, 3N+k, etc., are encoded by the same cipher.
  3. Attack each individual cipher as before.
Guessing the Key Length
• Main idea: Plaintext words separated by multiples of
the key length are encoded in the same way.
• In our example, if plaintext = “…thexxxxxxthe…” then
“the” will be encrypted to the same ciphertext words.
• So look at the ciphertext for repeated patterns.
• E.g. repeated “VTW” in the previous example
suggests a key length of 3 or 9:
ciphertext:
ZICVTWQNGRZGVTWAVZHCQYGLMGJ
• Of course, the repetition could be a random fluke.
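The Vigenère cipher as a key-driven sequence of Caesar ciphers, and the repeated-pattern test for the key length, as an added Python example (not the slides' code). Function names are my own; candidate_key_lengths generalises the slide's "VTW repeated at distance 9 suggests 3 or 9" to any set of repeated trigrams.

```python
# Added example (not from the slides): the Vigenère cipher and the repeated-
# pattern (Kasiski) test used on the slides to guess the key length.  The
# keyword and plaintext in __main__ are the slide's own.
from collections import defaultdict
from functools import reduce
from math import gcd


def _shift(ch: str, k: int) -> str:
    """Caesar shift of one upper-case letter by k (k may be negative)."""
    return chr((ord(ch) - 65 + k) % 26 + 65)


def vigenere_encrypt(key: str, plaintext: str) -> str:
    """Letter i is encrypted with the Caesar cipher C_{key[i mod len(key)]}."""
    key = key.upper()
    text = "".join(c for c in plaintext.upper() if c.isalpha())
    return "".join(_shift(c, ord(key[i % len(key)]) - 65) for i, c in enumerate(text))


def vigenere_decrypt(key: str, ciphertext: str) -> str:
    """Decryption works in reverse: shift each letter back by its key letter."""
    key = key.upper()
    text = ciphertext.upper()
    return "".join(_shift(c, 65 - ord(key[i % len(key)])) for i, c in enumerate(text)).lower()


def repeated_spacings(ciphertext: str, length: int = 3) -> dict:
    """Map each repeated n-gram to the distances between its occurrences."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return {g: [b - a for a, b in zip(p, p[1:])] for g, p in positions.items() if len(p) > 1}


def candidate_key_lengths(ciphertext: str, length: int = 3) -> list:
    """Divisors (>1) of the gcd of all spacings: the key length should be one of them.
    A single repetition can be a random fluke, as the slide warns."""
    spacings = [d for ds in repeated_spacings(ciphertext, length).values() for d in ds]
    if not spacings:
        return []
    g = reduce(gcd, spacings)
    return [d for d in range(2, g + 1) if g % d == 0]


if __name__ == "__main__":
    ct = vigenere_encrypt("deceptive", "wearediscoveredsaveyourself")
    print(ct)                               # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(repeated_spacings(ct))            # {'VTW': [9]}
    print(candidate_key_lengths(ct))        # [3, 9]
```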
Rotor Cipher Machines
• Before modern ciphers, rotor machines were the most common complex ciphers in use.
• Widely used in WW2.
• Used a series of rotating cylinders.
• Implemented a polyalphabetic substitution cipher of period K.
• With 3 cylinders, K = 26^3 = 17,576.
• With 5 cylinders, K = 26^5 ≈ 12 × 10^6.
• What is a key?
  – If the adversary has a machine
  – If the adversary doesn't have a machine
German secret setting sheets
Date
Which rotors to use (there were 10 rotors)
Ring setting
Plugboard setting
The Rotors; Enigma Rotor Machine (photographs)
Transposition Ciphers
• Also called permutation ciphers.
• Shuffle the plaintext, without altering the
actual letters used.
• Example: Row Transposition Ciphers
Row Transposition Ciphers
• Plaintext is written row by row in a rectangle.
• Ciphertext: write out the columns in an order specified by a key.
Key: 3 4 2 1 5 6 7
Plaintext:
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
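The row transposition cipher with the slide's key and plaintext, as an added Python example (not from the slides); the key is read as listing the columns in read-out order (column 3 first), which is the reading that reproduces the slide's ciphertext. Function names are my own.

```python
# Added example (not from the slides): row transposition cipher.  The key lists
# the 1-based column numbers in the order the columns are written out.
import math


def _grid(text: str, width: int) -> list:
    """Write text row by row into a rectangle of the given width."""
    return [text[i:i + width] for i in range(0, len(text), width)]


def row_transposition_encrypt(key: list, plaintext: str) -> str:
    text = "".join(c for c in plaintext.lower() if c.isalpha())
    if len(text) % len(key):
        raise ValueError("pad the plaintext to fill the rectangle (the slide appends xyz)")
    rows = _grid(text, len(key))
    # read column key[0] top to bottom, then column key[1], ...
    return "".join(row[col - 1] for col in key for row in rows).upper()


def row_transposition_decrypt(key: list, ciphertext: str) -> str:
    n_rows = math.ceil(len(ciphertext) / len(key))
    columns = {}
    pos = 0
    for col in key:                     # columns were written out in key order
        columns[col - 1] = ciphertext[pos:pos + n_rows]
        pos += n_rows
    return "".join(columns[c][r] for r in range(n_rows) for c in range(len(key))).lower()


if __name__ == "__main__":
    key = [3, 4, 2, 1, 5, 6, 7]
    ct = row_transposition_encrypt(key, "attack postponed until two am xyz")
    print(ct)                                    # TTNAAPTMTSUOAODWCOIXKNLYPETZ
    print(row_transposition_decrypt(key, ct))
```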
Product Ciphers
• Uses a sequence of substitutions and transpositions
– Harder to break than just substitutions or transpositions
• This is a bridge from classical to modern ciphers.
Unconditional & Computational
Security
• A cipher is unconditionally secure if it is secure no matter how many resources (time, space) the attacker has.
• A cipher is computationally secure if the best algorithm for breaking it requires so many resources (e.g., 1000 years) that in practice the cryptosystem is secure.
• None of the ciphers we have examined is unconditionally secure.
An Unconditionally Secure Cipher
Vernam's one-time pad cipher
Key = k1 k2 k3 k4 ... (random, used one time only)
Plaintext = m1 m2 m3 m4 ...
Ciphertext = c1 c2 c3 c4 ...
where c_i = m_i ⊕ k_i
Can be proved to be unconditionally secure.
Number Theory Basics
• Groups, Rings, Fields
• Modular Arithmetic
• Euclidean Theorem
• Extended Euclidean Theorem
• Galois Field
Groups, Rings, Fields
Groups
Definition 6 A group (G, *) consists of a set G with a binary operation * on G satisfying the following three axioms.
(1) The group operation is associative. That is, a * (b * c) = (a * b) * c for all a, b, c ∈ G.
(2) There is an element 1 ∈ G, called the identity element, such that a * 1 = 1 * a = a for all a ∈ G.
(3) For each a ∈ G there exists an element a^(−1) ∈ G, called the inverse of a, such that a * a^(−1) = a^(−1) * a = 1.
A group G is abelian (or commutative) if, furthermore,
(4) a * b = b * a for all a, b ∈ G.
Groups (Continued)
Example 20
(1) The set of integers Z with the operation of addition forms a group. The identity element is 0 and the inverse of an integer a is the integer −a.
(2) The set Z_n, with the operation of addition modulo n, forms a group. The set Z_n with the operation of multiplication modulo n is not a group, since not all elements have multiplicative inverses. However, the set Z_n^* is a group under the operation of multiplication modulo n, with identity element 1.
(3) The set {T, F}, with the operation of XOR, forms a group, with identity element F and T^(−1) = T.
Rings
Definition 7 A ring (R, +, ·) consists of a set R with two binary operations arbitrarily denoted + (addition) and · (multiplication) on R, satisfying the following axioms.
(1) (R, +) is an abelian group with identity denoted 0.
(2) The operation · is associative. That is, a·(b·c) = (a·b)·c for all a, b, c ∈ R.
(3) There is a multiplicative identity denoted 1, with 1 ≠ 0, such that 1·a = a·1 = a for all a ∈ R.
(4) The operation · is distributive over +. That is, a·(b + c) = (a·b) + (a·c) and (b + c)·a = (b·a) + (c·a) for all a, b, c ∈ R.
The ring is a commutative ring if a·b = b·a for all a, b ∈ R.
Rings (Continued)
Example 21
(1) The set of integers Z with the usual operations
of addition and multiplication is a commutative
ring.
(2) The set Z n with addition and multiplication
performed modulo n is a commutative ring.
Fields
Definition 8 A field is a commutative ring in which all non-zero elements have multiplicative inverses.
Example 22
(1) The set of integers under the usual operations of addition and multiplication is not a field, since the only non-zero integers with multiplicative inverses are 1 and −1. However, the rational numbers Q, the real numbers R, and the complex numbers C form fields under the usual operations.
(2) Z_n is a field (under the usual operations of addition and multiplication modulo n) if and only if n is a prime number. If n is prime.
An algebraic structure is finite if the number of elements is finite. The number of elements is called its order.
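Exhaustive checks of the group and field axioms on Z_n, as an added Python example (not from the slides); function names are my own. It confirms Example 20 (2) for n = 14 (Z_14 under + is a group, under × it is not, Z_14^* is), Example 20 (3) for {T, F} with XOR, and Example 22 (2) for every n below 60.

```python
# Added example (not from the slides): the algebraic structures of this section
# checked by brute force on Z_n, which is small enough to test every element.
from itertools import product


def is_group(elements, op) -> bool:
    """Closure, associativity, an identity and inverses for (elements, op)."""
    elements = list(elements)
    for a, b in product(elements, repeat=2):
        if op(a, b) not in elements:                     # closure
            return False
    for a, b, c in product(elements, repeat=3):
        if op(a, op(b, c)) != op(op(a, b), c):           # associativity
            return False
    identity = next((e for e in elements
                     if all(op(e, a) == a == op(a, e) for a in elements)), None)
    if identity is None:                                 # identity element
        return False
    # every element has a two-sided inverse
    return all(any(op(a, x) == identity == op(x, a) for x in elements) for a in elements)


def units(n: int) -> list:
    """Z_n^*: the residues 1..n-1 that have a multiplicative inverse mod n."""
    return [a for a in range(1, n) if any(a * x % n == 1 for x in range(1, n))]


def is_field(n: int) -> bool:
    """Z_n is a field iff every non-zero residue has a multiplicative inverse."""
    return n > 1 and units(n) == list(range(1, n))


def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


if __name__ == "__main__":
    n = 14
    print("(Z_14, +) is a group:", is_group(range(n), lambda a, b: (a + b) % n))
    print("(Z_14, *) is a group:", is_group(range(n), lambda a, b: a * b % n))
    print("Z_14^* =", units(n), "; (Z_14^*, *) is a group:",
          is_group(units(n), lambda a, b: a * b % n))
    print("Z_n is a field iff n is prime (n < 60):",
          all(is_field(k) == is_prime(k) for k in range(2, 60)))
```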
Modular Arithmetic
• Modular arithmetic is one of the main tools provided by number theory
  – The quotient of n divided by m is ⌊n / m⌋, where m and n are positive integers
  – The remainder of this division is called 'n mod m'
  – So, the following holds:
    n = m · ⌊n / m⌋ + (n mod m)
    where ⌊n / m⌋ is the quotient and n mod m is the remainder.
Modular Arithmetic
• Another way of putting this is:
  – Given any positive integer n and any integer m, if we divide m by n, we get an integer quotient, q, and integer remainder, r, that obey the following relationship:
    m = qn + r   (0 ≤ r < n; q = ⌊m / n⌋)
  – The remainder, r, is often referred to as a residue of m modulo n, and is the smallest non-negative integer that differs from m by a multiple of n.
For example,
  m = 11; n = 7;   11 = 1·7 + 4;      r = 4
  m = −11; n = 7;  −11 = (−2)·7 + 3;  r = 3
Modular Arithmetic
• Two integers, a and b, are said to be congruent (denoted by ≡) if:
    a ≡ b (mod m)  ⇔  a mod m = b mod m
  that is, "a is congruent to b modulo m"
• Alternatively, in arithmetic modulo m, a and b are equivalent if their difference, (a − b), is a multiple of m; that is, m | (a − b)
• The set of integers Z_m = {0, 1, ..., m − 1} forms the complete set of residues modulo m -- there are only m different integers, mod m
• The operation a mod m denotes the residue of a, such that the residue is some integer from 0 to m − 1. This operation is known as a modular reduction.
  – Example: 10 ≡ 2 (mod 4) because 4 | (10 − 2)
Modular Arithmetic
• Congruence is an equivalence relation -- that is, it satisfies:
  1) The reflexive law: a ≡ a
  2) The symmetric law: a ≡ b ⇒ b ≡ a
  3) The transitive law: a ≡ b and b ≡ c ⇒ a ≡ c
• Finding the smallest non-negative integer to which k is congruent modulo n is called reducing k modulo n
Modular Arithmetic
• We can also add and subtract congruent elements without losing congruence:
    a ≡ b and c ≡ d  ⇒  a + c ≡ b + d (mod m)
                         a − c ≡ b − d (mod m)
• Multiplication also works:
    a ≡ b and c ≡ d  ⇒  ac ≡ bd (mod m), for integers a, b, c, d
Modular Arithmetic
• Modular arithmetic is like ordinary arithmetic. It is:
– commutative (for addition and multiplication)
a+b=b+a
– associative
(a + b) + c = a + (b + c)
and
– distributive
a(b + c) = (ab) + (ac)
and
(b + c)a = (ba) + (ca)
Modular Arithmetic
• A very important property of modular arithmetic is:
  – Reducing each intermediate result modulo m yields the same result as doing the entire calculation, and then reducing the result modulo m:
    (a + b) mod m = ((a mod m) + (b mod m)) mod m
    (a − b) mod m = ((a mod m) − (b mod m)) mod m
    (a × b) mod m = ((a mod m) × (b mod m)) mod m
    (a × (b + c)) mod m = (((a × b) mod m) + ((a × c) mod m)) mod m
  – This means that we can do modular arithmetic without worrying about whether we will exceed some large arithmetic bound -- so such calculations can be done on computers, even for large integer values.
Modular Arithmetic
• The addition table for (a + b) mod 8 and the multiplication table for (a·b) mod 8 (tables shown on the slide) list every possible result; each entry lies in {0, ..., 7}.
Modular Arithmetic: Exponentiation
• Recall that exponentiation is defined:
    a^0 = e, the identity element
    a^n = a · a · ... · a (the operation applied n−1 times)
    a^(−n) = (a')^n, where a' is the inverse of a
  – In ordinary arithmetic, exponentiation rapidly produces very large numbers
  – However, because of the important property of modular arithmetic that intermediate results can be computed mod m, it is possible in mod m arithmetic to do powerful exponentiation without producing very large numbers
  – Remember, in cryptography we'll be dealing with very large values of m, so this is important.
Modular Arithmetic: Exponentiation
• For example, instead of performing the calculation:
    a^n mod m = (a · a · a · ... · a) mod m
  we can instead perform fewer multiplications and use intermediate modular reductions.
  – Let's take the specific case of a^8 mod m. We can calculate it:
    a^8 mod m = ((a^2 mod m)^2 mod m)^2 mod m
  – Similarly:
    a^16 mod m = (((a^2 mod m)^2 mod m)^2 mod m)^2 mod m
    a^25 mod m = (((((((a^2 mod m) · a) mod m)^2 mod m)^2 mod m)^2 mod m) · a) mod m
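Square-and-multiply modular exponentiation, as an added Python example (not from the slides); modexp_trace is my own name. Its trace records the exponent reached after each step, so for a^25 it lists 1, 3, 6, 12, 25, the same ladder as the nested expression above (a^2·a = a^3, squared to a^6, a^12, a^24, times a).

```python
# Added example (not from the slides): modular exponentiation that reduces every
# intermediate product mod m, following the slide's a^8 and a^25 decompositions.


def modexp_trace(a: int, n: int, m: int) -> tuple:
    """Left-to-right square-and-multiply.

    Returns (a^n mod m, trace), where trace lists the exponent reached after
    each binary digit of n has been processed (comparable with the slide's nesting).
    """
    if n < 0:
        raise ValueError("negative exponents need the multiplicative inverse of a")
    if m < 2:
        raise ValueError("modulus must be at least 2")
    result, exponent, trace = 1, 0, []
    for bit in bin(n)[2:]:                 # binary expansion of n, MSB first
        result = result * result % m       # square: exponent doubles
        exponent *= 2
        if bit == "1":
            result = result * a % m        # multiply: exponent += 1
            exponent += 1
        trace.append(exponent)
    return result, trace


def modexp(a: int, n: int, m: int) -> int:
    """a^n mod m without ever holding a number larger than (m-1)^2."""
    return modexp_trace(a, n, m)[0]


def naive_modexp(a: int, n: int, m: int) -> int:
    """Multiply n times, then reduce: the huge-intermediate version, for comparison."""
    return (a ** n) % m


if __name__ == "__main__":
    value, steps = modexp_trace(7, 25, 13)
    print("7^25 mod 13 =", value, "via exponents", steps)   # [1, 3, 6, 12, 25]
    print(modexp(7, 25, 13) == naive_modexp(7, 25, 13) == pow(7, 25, 13))
```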
Modular Arithmetic: Division
• So far, for mod m arithmetic, we have addition, subtraction (defined
through an additive inverse), and multiplication.
• What about division?
– Division is defined through a multiplicative inverse.
– In regular arithmetic:
    • The multiplicative inverse of 5 is 1/5, because 5 · 1/5 = 1
  – In modular arithmetic, things are not so easy:
    Find x, where 5x ≡ 1 (mod 7)
    which is equivalent to finding an x and a k (both integers) such that:
    5x = 7k + 1
  – The general problem is to find x such that:
    1 = (a · x) mod m
    or:
    a^(−1) ≡ x (mod m)
Modular Arithmetic: Multiplicative Inverse
• Sometimes the modular multiplicative inverse has a solution, and sometimes it doesn't (see the mod 14 multiplication table on the slide):
  – The inverse of 5, mod 14, is 3:
    5 × 3 mod 14 = 1
  – The inverse of 2, mod 14, doesn't exist.
    • Look at the row for 2 in the table;
    • It does not contain the value 1
• It turns out that a^(−1) ≡ x (mod m) has a solution iff a and m are relatively prime.
  – For example, look at the rows of the mod 14 table.
  – The only rows that contain a 1 are for values that are relatively prime to 14:
    1, 3, 5, 9, 11, 13
Modular Arithmetic: Multiplicative Inverse
• One way of finding the inverse of a modulo m is to extend Euclid's greatest common divisor algorithm:
  – The Extended Euclidean Algorithm:
    • While computing gcd(a, m), we can also find two integers u and v such that:
      gcd(a, m) = ua + vm
    • If a and m are relatively prime, then gcd(a, m) = 1, and:
      1 = ua + vm ≡ ua (mod m)   (performing a reduction mod m)
      and then, multiplying both sides by a^(−1):
      a^(−1) ≡ ua·a^(−1) ≡ u (mod m)
    • So, if gcd(a, m) = 1, then u is the multiplicative inverse of a mod m; otherwise, there is no multiplicative inverse
Finite, or Galois Fields
• A finite field (also known as a Galois* Field) is a field with a
finite number of elements. Finite fields are critical to the
success of many cryptographic algorithms.
– The finite fields are completely known:
    • It can be shown that the order of a finite field (number of elements in the field) must be a power of a prime, p^n, where n is a positive integer.
    • For a given prime p, the finite field of order p, GF(p), is defined as the set Z_p of integers {0, 1, ..., p − 1}, together with the arithmetic operations modulo p.
*Évariste Galois (1811-1832), French mathematician
Modular Arithmetic
• The tables for (a + b) mod 2 and (a·b) mod 2 (shown on the slide) have only four entries each.
Notice anything?
(a + b) mod 2 = a XOR b
(a · b) mod 2 = a AND b
Modular Arithmetic
• Another useful feature of arithmetic mod 2 is:
– In the field Z2, ({0, 1}), there is only one
inversion possible:
1/1 = 1
so division is the same operation as
multiplication!
• Not surprisingly, the field Z2 is an important tool to
analyze certain cryptographic algorithms by computer.
Modular Arithmetic
• Cryptography uses modular arithmetic a great deal, because:
– Calculating discrete logarithms and square roots mod n can be hard
problems.
– It's easier to work with on computers, because it restricts the range of all
intermediate values and results
    • For a k-bit modulus, n, the intermediate results of any addition, subtraction, or multiplication will not exceed 2k bits in length.
    • We can perform modular exponentiation without generating huge intermediate results
  – Arithmetic operations mod 2 are natural for computers, because of the equivalence of addition with XOR, and multiplication with AND, etc.
Tutorial 2: Euclidean and Extended
Euclidean Theorem
• Implement Euclid's Algorithm
• Implement Extended Euclidean Algorithm
• Solve Modular Inverses
Euclid’s Algorithm for GCD
Finding GCDs by comparing prime factorizations can be difficult when the prime factors are not known! And no fast algorithm for factoring is known (except on a quantum computer!).
Euclid (of Alexandria, 325-265 B.C.) discovered: for all integers a, b,
  gcd(a, b) = gcd((a mod b), b).
How can this be useful? (assume a > b)
Sort a, b so that a > b; then (given b > 1) (a mod b) < a, so the problem is simplified.
Theorem: Let a =bq+r, where a, b, q, and r are integers.
Then gcd(a,b) = gcd(b,r)
Suppose a and b are the natural numbers whose gcd has to be
determined. And suppose the remainder of the division of a by b is r.
Therefore a = qb + r where q is the quotient of the division.
Any common divisor of a and b is also a divisor of r. To see why this is
true, consider that r can be written as r = a − qb. Now, if there is a
common divisor d of a and b such that a = sd and b = td, then
r = (s−qt)d. Since all these numbers, including s−qt, are whole
numbers, it can be seen that r is divisible by d. (Also, by corollary
on slide 6.)
Similarly, any common divisor of b and r is also a divisor of a. Note that
a = qb +r. Hence a common divisor of b and r also divides a.
It follows that gcd(a,b) = gcd(b,r).
Euclidean Algorithm
Lemma: Let a = bq + r, where a, b, q, and r are integers. Then gcd(a, b) = gcd(b, r)
procedure gcd(a, b: positive integers)
  x := a
  y := b
  while y ≠ 0
  begin
    r := x mod y
    x := y
    y := r
  end
  { gcd(a, b) is x }
What about the "y = 0" case? It arises when r = 0, so y divides x. But "x := y" and "y := 0" have already been executed, so x is returned. Also note that gcd(a, 0) = a.
Do we need a ≥ b? hmm…
Euclid’s Algorithm Example
gcd(372, 164) = gcd(164, 372 mod 164).
372 mod 164 = 372 − 164·⌊372/164⌋ = 372 − 164·2 = 372 − 328 = 44
gcd(164, 44) = gcd(44, 164 mod 44).
164 mod 44 = 164 − 44·⌊164/44⌋ = 164 − 44·3 = 164 − 132 = 32
gcd(44, 32) = gcd(32, 44 mod 32)
            = gcd(32, 12) = gcd(12, 32 mod 12)
            = gcd(12, 8) = gcd(8, 12 mod 8)
            = gcd(8, 4) = gcd(4, 8 mod 4)
            = gcd(4, 0) = 4.
So, we repeatedly swap the numbers, largest first. "mod" reduces them quickly!
Complexity? Guess…
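Euclid's algorithm with the (dividend = q·divisor + remainder) trace used on these slides, the extended algorithm giving gcd(a, m) = ua + vm, and the modular inverse derived from it, as an added Python example (not from the slides) covering this tutorial and the Extended Euclidean slide above. Function names are my own; gcd_trace orders its arguments itself, which answers the "do we need a ≥ b?" question.

```python
# Added example (not from the slides): Euclid's algorithm with a step trace, the
# extended Euclidean algorithm (Bezout coefficients) and the modular inverse.


def gcd_trace(a: int, b: int) -> tuple:
    """Euclid's algorithm.  Returns (gcd, steps) where each step is (x, q, y, r)
    meaning x = q*y + r; the larger argument is taken as the first dividend."""
    x, y = max(a, b), min(a, b)
    steps = []
    while y != 0:
        q, r = divmod(x, y)
        steps.append((x, q, y, r))
        x, y = y, r          # remainder -> divisor -> dividend -> ignore
    return x, steps


def extended_gcd(a: int, b: int) -> tuple:
    """Returns (g, u, v) with g = gcd(a, b) = u*a + v*b (iterative form)."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def mod_inverse(a: int, m: int):
    """a^-1 mod m when gcd(a, m) = 1; None when no inverse exists."""
    g, u, _ = extended_gcd(a % m, m)
    return u % m if g == 1 else None


if __name__ == "__main__":
    g, steps = gcd_trace(1180, 482)
    for x, q, y, r in steps:
        print(f"{x} = {q}*{y} + {r}")
    print("gcd(482, 1180) =", g)
    print("5^-1 mod 14 =", mod_inverse(5, 14), "; 2^-1 mod 14 =", mod_inverse(2, 14))
    print("units mod 14:", [a for a in range(1, 14) if mod_inverse(a, 14) is not None])
```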
Basic Notions
Divisibility
Definition 1 Let a ≠ 0 and b be integers. We say that a divides b if there is an integer k such that b = ka. This is denoted by a|b. Another way to express this is that b is a multiple of a. If a does not divide b, we write a ∤ b.
Divisibility (Continued)
Proposition 1 (1) For every a ≠ 0, a|0 and a|a. Also, 1|b for every b.
(2) If a|b and b|c, then a|c.
(3) If a|b and a|c, then a|(sb + tc) for all integers s and t.
Proof. (1) It is immediate from Definition 1.
(2) There exist k and l such that b = ka and c = lb. Therefore, c = kla.
(3) Write b = k1·a and c = k2·a. Then sb + tc = a(sk1 + tk2), so a|(sb + tc).
Prime Numbers and Theorems
• Prime Numbers
• Fermat’s Little Theorem
• Euler’s Totient Function
• Euler’s Theorem
Prime
Definition 2 A prime is a positive integer greater than 1 that is divisible by no positive integers other than 1 and itself. A positive integer greater than 1 that is not prime is called composite.
The primes less than 200:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
Prime (Continued)
Proposition 2 There are infinitely many primes.
Proof. By way of contradiction, suppose that there were only finitely many primes; call them p1 = 2, p2 = 3, ..., pk. Then set n = p1·p2···pk + 1, and consider a prime p that divides n. There must be at least one such prime p, since n ≥ 2. Clearly, p cannot equal any of p1, p2, ..., pk, since if it did, then p would divide n − p1·p2···pk = 1, which is impossible. Therefore, the prime p is not among p1, p2, ..., pk, which contradicts our assumption that these are the only primes.
Prime (Continued)
Theorem 2 (Prime Number Theorem) Let $\pi(x)$ be the number
of primes less than $x$. Then
$$\pi(x) \sim \frac{x}{\ln x},$$
in the sense that the ratio $\pi(x) / (x / \ln x) \to 1$ as $x \to \infty$.
Proof. We omit the proof.
In various applications, we'll need large primes, say of around 100
digits. We can estimate the number of 100-digit primes as follows:
$$\pi(10^{100}) - \pi(10^{99}) \approx \frac{10^{100}}{\ln 10^{100}} - \frac{10^{99}}{\ln 10^{99}} \approx 3.9 \times 10^{97}.$$
So there are certainly enough such primes.
Prime (Continued)
Theorem 3 (Fundamental theorem of arithmetic) Every positive
integer is a product of primes. This factorization into primes is
unique, up to reordering.
Proof. (Existence) This amounts to showing that every positive
integer n can be expressed as a product (possibly empty) of
primes. We may prove this by induction on n. Let n > 1, and
assume that every positive integer smaller than n can be expressed
as a product of primes. If n is a prime, then the statement is true,
as n is the product of one prime; otherwise, n is composite, and
so there exist 1<a<n,1<b<n, and n = ab; by the induction
hypothesis, both a and b can be expressed as a product of primes,
and so the same holds for n.
Greatest Common Divisor
Definition 3 The greatest common divisor of $a$ and $b$ is the
largest positive integer dividing both $a$ and $b$ and is
denoted by either $\gcd(a, b)$ or by $(a, b)$. We say that $a$ and $b$
are relatively prime if $\gcd(a, b) = 1$.
There are two standard ways for finding the gcd:
(1) If you can factor $a$ and $b$ into primes, i.e. $a = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_n^{\alpha_n}$
and $b = p_1^{\beta_1} p_2^{\beta_2} \cdots p_n^{\beta_n}$, take the smaller of the two exponents of each prime and
get $\gcd(a, b) = p_1^{\min(\alpha_1, \beta_1)} p_2^{\min(\alpha_2, \beta_2)} \cdots p_n^{\min(\alpha_n, \beta_n)}$. If a prime
does not appear in a factorization, then it cannot appear in
the gcd.
(2) The Euclidean algorithm.
Greatest Common Divisor (Continued)
Example 1 Compute $\gcd(482, 1180)$.
$1180 = 2 \cdot 482 + 216$, $482 = 2 \cdot 216 + 50$, $216 = 4 \cdot 50 + 16$,
$50 = 3 \cdot 16 + 2$, $16 = 8 \cdot 2 + 0$.
So, $\gcd(482, 1180) = 2$.
Notice how the numbers shift:
remainder → divisor → dividend → ignore.
Using the example as a guideline, we can now give a more
formal description of the Euclidean algorithm. Without loss
of generality, suppose $a > b$. We have
$$a = q_1 b + r_1, \quad b = q_2 r_1 + r_2, \quad r_1 = q_3 r_2 + r_3, \quad \ldots,$$
$$r_{k-2} = q_k r_{k-1} + r_k, \quad r_{k-1} = q_{k+1} r_k.$$
Hence $\gcd(a, b) = r_k$. (No factorization is needed, and it is fast.)
Greatest Common Divisor (Continued)
Theorem 4 Let $a$ and $b$ be two integers, with at least one of $a, b$
nonzero, and let $d = \gcd(a, b)$. Then there exist integers $x, y$ such
that $ax + by = d$. In particular, if $a$ and $b$ are relatively prime, then there
exist integers $x, y$ with $ax + by = 1$.
Proof. We can show that if $r_j$ is a remainder obtained during the
Euclidean algorithm, then there are integers $x_j, y_j$ such that
$r_j = ax_j + by_j$. Taking $x_1 = 1$ and $y_1 = -q_1$, we have $r_1 = ax_1 + by_1$.
Similarly, $r_2 = a(-q_2) + b(1 + q_1 q_2)$. Suppose we have $r_i = ax_i + by_i$ for
all $i < j$. Then
$$r_j = r_{j-2} - q_j r_{j-1} = ax_{j-2} + by_{j-2} - q_j(ax_{j-1} + by_{j-1}) = a(x_{j-2} - q_j x_{j-1}) + b(y_{j-2} - q_j y_{j-1}).$$
Continuing, we obtain the result for all $j$, in particular for $r_k = \gcd(a, b)$.
Greatest Common Divisor (Continued)
Corollary 1 If $p$ is a prime and $p \mid ab$, then either $p \mid a$ or $p \mid b$.
More generally, if a prime $p \mid ab \cdots z$, then $p$ must divide one
of the factors $a, b, \ldots, z$.
Proof. Consider the case $p \mid ab$. If $p$ divides $a$, we are done. Now
assume $p \nmid a$. Since $p$ is prime, $\gcd(a, p) = 1$ or $p$. Since $p \nmid a$,
$\gcd(a, p) = 1$. Following Theorem 4, there exist integers $x, y$ with
$ax + py = 1$. Multiply by $b$ to obtain $abx + pby = b$. Therefore,
$p \mid b$.
For the case $p \mid ab \cdots z$, if $p \mid a$, we're done. Otherwise, $p \mid b \cdots z$.
Either $p \mid b$ or $p$ divides the remaining factors. Continuing in this
way, we get the conclusion.
Greatest Common Divisor (Continued)
Theorem 3 (Continued)
Proof. (Uniqueness) Suppose that $n = p_1 p_2 \cdots p_s =
q_1 q_2 \cdots q_l$, where $p_1, p_2, \ldots, p_s$ and $q_1, q_2, \ldots, q_l$ are
primes, and $p_1 \leq p_2 \leq \cdots \leq p_s$ and $q_1 \leq q_2 \leq \cdots \leq q_l$.
Since $p_1 \mid n$ and $q_1 \mid n$, we know $p_1 \mid q_j$ and $q_1 \mid p_k$ for some $j, k$. Since $q_j$,
$p_k$ are prime, we get $p_1 = q_j$ and $q_1 = p_k$. Since $p_1 = q_j \geq q_1$ and
$q_1 = p_k \geq p_1$, we have $p_1 = q_1$. Remove the common factor $p_1$ to
get $p_2 \cdots p_s = q_2 \cdots q_l$. Continuing in this way, we
obtain $s = l$ and $p_i = q_i$ for every $i$.
Solving ax+by=d=gcd(a,b)
Based on the proof procedure of Theorem 4, we get the following
sequences:
$$x_1 = 1, \quad x_2 = -q_2, \quad x_j = -q_j x_{j-1} + x_{j-2},$$
$$y_1 = -q_1, \quad y_2 = 1 + q_1 q_2, \quad y_j = -q_j y_{j-1} + y_{j-2}.$$
Then $ax_k + by_k = \gcd(a, b)$.
In Example 1, $x_1 = 1$, $x_2 = -2$, $x_3 = -2x_2 + x_1 = 5$, $x_4 = -4x_3 + x_2 =
-22$, $x_5 = -3x_4 + x_3 = 71$. Similarly, $y_5 = -29$. An easy calculation
shows that
$$482 \cdot 71 + 1180 \cdot (-29) = 2 = \gcd(482, 1180).$$
The preceding method is often called the extended Euclidean algorithm.
Congruence
Definition 4 Let $a, b, n$ be integers with $n \neq 0$. We say that
$$a \equiv b \pmod n$$
(read: $a$ is congruent to $b$ mod $n$) if $a - b$ is a multiple
(positive or negative) of $n$.
This can be rewritten as $a = b + nk$ for some integer $k$ (positive
or negative).
Example 2
$32 \equiv 7 \pmod 5$,
$-12 \equiv 37 \pmod 7$,
$17 \equiv 17 \pmod{13}$.
Proposition 3 Let $a, b, c, n$ be integers with $n \neq 0$.
(1) $a \equiv 0 \pmod n$ if and only if $n \mid a$.
(2) $a \equiv a \pmod n$.
(3) $b \equiv a \pmod n$ if and only if $a \equiv b \pmod n$.
(4) If $a \equiv b \pmod n$ and $b \equiv c \pmod n$, then $a \equiv c \pmod n$.
Proof. We omit the proof.
# Congruence behaves very much like equality.
Addition, Subtraction, Multiplication
Proposition 4 Let $a, b, c, d, n$ be integers with $n \neq 0$, and suppose
$a \equiv b \pmod n$, $c \equiv d \pmod n$. Then
$$a + c \equiv b + d \pmod n, \quad a - c \equiv b - d \pmod n, \quad ac \equiv bd \pmod n.$$
Proof. Write $a = b + nk$, $c = d + nl$, for integers $k, l$. Then $a + c =
b + d + n(k + l)$, so $a + c \equiv b + d \pmod n$. The proof that $a - c \equiv
b - d \pmod n$ is similar. For multiplication, we have $ac = bd +
n(dk + bl + nkl)$, so $ac \equiv bd \pmod n$.
# The proposition says you can perform the usual arithmetic
operations of addition, subtraction, and multiplication with
congruences.
Addition, Subtraction, Multiplication (Continued)
Example 3 Here is an example of how we can do algebra
mod $n$. Consider the following problem: $x + 7 \equiv 3 \pmod{17}$.
Solution: $x \equiv 3 - 7 \equiv -4 \equiv 13 \pmod{17}$.
# There is nothing wrong with negative answers, but usually
we write the final answer as an integer from 0 to $n - 1$.
Division
Proposition 5 Let $a, b, c, d, n$ be integers with $n \neq 0$
and with $\gcd(a, n) = 1$. If $ab \equiv ac \pmod n$, then $b \equiv
c \pmod n$. In other words, if $a, n$ are relatively prime,
we can divide both sides of the congruence by $a$.
Proof. Since $\gcd(a, n) = 1$, there exist $x, y$ such that
$ax + ny = 1$. Multiply by $b - c$:
$$(ab - ac)x + n(b - c)y = b - c.$$
Since $n \mid ab - ac$, we get $n \mid b - c$. This means that
$b \equiv c \pmod n$.
Division (Continued)
Example 4 Solve: $2x + 7 \equiv 3 \pmod{17}$.
Solution: $2x \equiv 3 - 7 \equiv -4$. Since $\gcd(2, 17) = 1$, $x \equiv -2 \equiv
15 \pmod{17}$.
Example 5 Solve: $5x + 6 \equiv 13 \pmod{11}$.
$5x \equiv 7$; what does $7/5$ mean (mod 11)? Note that
$5x \equiv 7 \equiv 18 \equiv 29 \equiv 40 \pmod{11}$. So $x \equiv 8 \pmod{11}$. That
is, 8 acts like $7/5$.
Division (Continued)
Proposition 6 Suppose $\gcd(a, n) = 1$. Let $s, t$ be integers
such that $as + nt = 1$. Then $as \equiv 1 \pmod n$, so $s$ is the
multiplicative inverse for $a \pmod n$, written as $a^{-1} \pmod n$.
$s, t$ can be found using the extended Euclidean algorithm.
Proof. Since $as - 1 = -nt$, we see that $as - 1$ is a multiple
of $n$.
Example 6 Solve $11111x \equiv 4 \pmod{12345}$.
Solution: Using the extended Euclidean algorithm,
we get $\gcd(11111, 12345) = 1$ and $11111 \cdot 2471 + 12345 \cdot y = 1$.
It means that $11111 \cdot 2471 \equiv 1 \pmod{12345}$. Hence,
$x \equiv 2471 \cdot 4 \equiv 9884 \pmod{12345}$.
Division (Continued)
Solve congruences of the form $ax \equiv b \pmod n$ when $\gcd(a, n) =
d > 1$. The procedure is as follows:
(1) If $d \nmid b$, there is no solution.
(2) Assume $d \mid b$. Consider the new congruence
$$(a/d)x \equiv b/d \pmod{n/d}.$$
Note that $a/d, b/d, n/d$ are integers and $\gcd(a/d, n/d) = 1$.
Solve this congruence by the above procedure to obtain a
solution $x_0$.
(3) The solutions of the original congruence $ax \equiv b \pmod n$ are
$$x_0, \quad x_0 + (n/d), \quad x_0 + 2(n/d), \quad \ldots, \quad x_0 + (d-1)(n/d) \pmod n.$$
Division (Continued)
Example 7 Solve $12x \equiv 21 \pmod{39}$.
Solution: $\gcd(12, 39) = 3$, which divides 21. Divide by 3 to obtain
the new congruence $4x \equiv 7 \pmod{13}$. A solution is $x_0 = 5$. The
solutions to the original congruence are $x \equiv 5, 18, 31 \pmod{39}$.
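The extended Euclidean algorithm and the three-step procedure above, as an added Python example (not code from the slides): egcd follows the x_j, y_j recurrences, mod_inverse implements Proposition 6, and solve_linear_congruence handles the gcd(a, n) = d > 1 case including the "no solution" check. Function names are my own.

```python
# Added example (not from the slides): the extended Euclidean algorithm
# and the three-step procedure for solving a*x ≡ b (mod n).

def egcd(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d.

    Iterative form of the slide's recurrences
    x_j = -q_j x_{j-1} + x_{j-2},  y_j = -q_j y_{j-1} + y_{j-2}.
    """
    old_r, r = a, b          # remainders r_{j-1}, r_j
    old_x, x = 1, 0          # coefficients of a
    old_y, y = 0, 1          # coefficients of b
    while r != 0:
        q = old_r // r       # quotient q_j
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    # old_r is the last nonzero remainder r_k = gcd(a, b)
    return old_r, old_x, old_y


def mod_inverse(a, n):
    """s with a*s ≡ 1 (mod n) (Proposition 6); fails unless gcd(a, n) = 1."""
    d, s, _ = egcd(a, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {d}")
    return s % n


def solve_linear_congruence(a, b, n):
    """All solutions x in [0, n) of a*x ≡ b (mod n), in increasing order.

    d = gcd(a, n). If d does not divide b there is no solution; otherwise
    solve (a/d) x ≡ b/d (mod n/d), which has a unique solution x0, and
    the d solutions mod n are x0 + i*(n/d) for i = 0, ..., d-1.
    """
    d = egcd(a, n)[0]
    if b % d != 0:
        return []
    a_, b_, n_ = a // d, b // d, n // d
    x0 = (mod_inverse(a_, n_) * b_) % n_
    return [x0 + i * n_ for i in range(d)]


if __name__ == "__main__":
    print(egcd(482, 1180))                      # (2, 71, -29), as on the slide
    print(mod_inverse(11111, 12345))            # 2471
    print(solve_linear_congruence(12, 21, 39))  # [5, 18, 31]
```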
Working with fractions
(1) In many situations, it will be convenient to work with fractions
mod $n$. For example, $1/2 \pmod{12345}$ is easier to write than
$6173 \pmod{12345}$. The general rule is that a fraction $b/a$ can be used
mod $n$ if $\gcd(a, n) = 1$. $b/a \pmod n$ really means $a^{-1} b \pmod n$.
(2) The symbol $1/2$ is simply a symbol with exactly one property: if you
multiply $1/2$ by 2, you get 1. So, $1/2 \pmod{12345}$ and $6173 \pmod{12345}$
are interchangeable.
(3) We can't use fractions with arbitrary denominators. For example,
$1/6 \pmod 6$ and $1/2 \pmod 6$ are not defined. In general, if $\gcd(a, n) \neq 1$, it is not allowed.
Fermat’s Little Theorem and Euler’s
Theorem
Theorem 7 (Fermat's Little Theorem) If $p$ is a prime and
$p \nmid a$, then
$$a^{p-1} \equiv 1 \pmod p.$$
Proof. Let $S = \{1, 2, 3, \ldots, p-1\}$. Consider the map $\psi: S \to S$,
$\psi(x) \equiv ax \pmod p$. Clearly, $\psi(x) \not\equiv 0 \pmod p$. Now, suppose
$x \neq y \in S$. We have $ax \not\equiv ay \pmod p$. Therefore, $\psi(1), \psi(2), \ldots,
\psi(p-1)$ are distinct elements of $S$. It follows that
$$1 \cdot 2 \cdot 3 \cdots (p-1) \equiv \psi(1)\psi(2) \cdots \psi(p-1) \equiv (a \cdot 1)(a \cdot 2)(a \cdot 3) \cdots (a(p-1)) \equiv a^{p-1}(1 \cdot 2 \cdot 3 \cdots (p-1)) \pmod p.$$
Since $\gcd(j, p) = 1$ for $j \in S$, we can divide this congruence
by $1, 2, 3, \ldots, p-1$. What remains is $1 \equiv a^{p-1} \pmod p$.
Fermat’s Little Theorem and Euler’s
Theorem (Continued)
Example 11 Compute $2^{10} \pmod{11}$ and $2^{53} \pmod{11}$.
$2^{10} = 1024 \equiv 1 \pmod{11}$. From this, we can evaluate $2^{53} = (2^{10})^5 \cdot 2^3
\equiv 2^3 \equiv 8 \pmod{11}$. In other words, from $53 \equiv 3 \pmod{10}$, we deduce
$2^{53} \equiv 2^3 \pmod{11}$.
Search for prime numbers using Fermat's little Theorem
Choose a starting point $n_0$ and successively test each odd number $n \geq
n_0$ to see whether $2^{n-1} \equiv 1 \pmod n$. If $n$ fails the test, discard it and
proceed to the next $n$. When $n$ passes the test, use more sophisticated
techniques.
# The advantage is that this procedure is much faster and eliminates many
numbers quickly. However, there exist exceptions such as $561 =
3 \cdot 11 \cdot 17$, for which $2^{560} \equiv 1 \pmod{561}$ even though 561 is composite.
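The base-2 Fermat search just described, as an added Python example (not code from the slides), with a trial-division stage standing in for the "more sophisticated techniques" so that composites which pass the test, such as 561, are visible. Function names are my own; trial division is only meant for the small numbers used here.

```python
# Added example (not from the slides): the base-2 Fermat search described
# above, with a trial-division check that exposes composites like 561.

def fermat_passes(n, base=2):
    """True when base^(n-1) ≡ 1 (mod n): the slide's quick filter."""
    if n < 2:
        return False
    return pow(base, n - 1, n) == 1


def is_prime_trial(n):
    """Exact primality by trial division; fine for small n, far too slow
    for 100-digit candidates (where a stronger test would be used)."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def fermat_search(n0, count):
    """Test successive odd n >= n0; return the first `count` that pass."""
    n = n0 if n0 % 2 == 1 else n0 + 1
    found = []
    while len(found) < count:
        if fermat_passes(n):
            found.append(n)
        n += 2
    return found


def fermat_liars(limit, base=2):
    """Odd composites n <= limit that still pass the Fermat test."""
    return [n for n in range(3, limit + 1, 2)
            if fermat_passes(n, base) and not is_prime_trial(n)]


if __name__ == "__main__":
    print(fermat_search(100, 5))   # [101, 103, 107, 109, 113]
    print(fermat_liars(700))       # [341, 561, 645]
```

Every number returned by fermat_search above 100 happens to be prime, but fermat_liars shows why the slide insists on a second stage: 341, 561 and 645 pass the base-2 test without being prime.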
Fermat’s Little Theorem and Euler’s Theorem
(Continued)
Definition 5 Let $\phi(n)$ be the number of integers $1 \leq a \leq n$ such
that $\gcd(a, n) = 1$. Often $\phi$ is called Euler's $\phi$-function.
Proposition 7 If $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$ is the prime power factorization,
then
$$\phi(n) = n \prod_{i=1}^{k} \left(1 - \frac{1}{p_i}\right),$$
in particular, $\phi(p) = p\left(1 - \frac{1}{p}\right) = p - 1$.
Proof. We omit the proof.
Example 12 $\phi(10) = \phi(2 \cdot 5) = 10(1 - 1/2)(1 - 1/5) = 4$,
$\phi(120) = \phi(2^3 \cdot 3 \cdot 5) = 120(1 - 1/2)(1 - 1/3)(1 - 1/5) = 32$.
Fermat’s Little Theorem and Euler’s
Theorem (Continued)
Theorem 7 (Euler's Theorem) If $\gcd(a, n) = 1$, then
$$a^{\phi(n)} \equiv 1 \pmod n.$$
Proof. The proof of this theorem is almost the same
as the one given for Fermat's theorem. Let $S$ be the
set of integers $1 \leq x \leq n$ with $\gcd(x, n) = 1$. Let $\psi: S \to S$
be defined by $\psi(x) \equiv ax \pmod n$. Clearly, the numbers
$\psi(x)$ are the numbers in $S$ written in some order.
Therefore,
$$\prod_{x \in S} x \equiv \prod_{x \in S} \psi(x) \equiv a^{\phi(n)} \prod_{x \in S} x \pmod n.$$
Dividing out the factors, we obtain $a^{\phi(n)} \equiv 1 \pmod n$.
Fermat’s Little Theorem and Euler’s
Theorem (Continued)
Example 13 What are the last three digits of $7^{803}$?
Solution: Knowing the last three digits is the same as
working modulo 1000. Since $\phi(1000) = 1000(1 - 1/2)
(1 - 1/5) = 400$, we have $7^{803} = (7^{400})^2 \cdot 7^3 \equiv 7^3 \equiv
343 \pmod{1000}$.
Example 14 Compute $2^{43210} \pmod{101}$.
Solution: From Fermat's theorem, we know that $2^{100} \equiv
1 \pmod{101}$. Therefore,
$$2^{43210} = (2^{100})^{432} \cdot 2^{10} \equiv 1024 \equiv 14 \pmod{101}.$$
Fermat’s Little Theorem and Euler’s Theorem
(Continued)
Basic Principle 1 Let $a, n, x, y$ be integers with $n \geq 1$,
$\gcd(a, n) = 1$. If $x \equiv y \pmod{\phi(n)}$, then $a^x \equiv a^y \pmod n$.
In other words, if you want to work modulo $n$, you
should work modulo $\phi(n)$ in the exponent.
Proof. Write $x = y + \phi(n)k$. Then
$$a^x = a^{y + \phi(n)k} = a^y (a^{\phi(n)})^k \equiv a^y (1)^k \equiv a^y \pmod n.$$
# Work with the exponent using modulo $\phi(n)$, not $n$.
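Proposition 7 and Basic Principle 1 in code, as an added Python example (not code from the slides): phi is computed from the prime-power factorization, and pow_mod_via_euler reduces the exponent mod φ(n) before square-and-multiply, refusing the reduction when gcd(a, n) ≠ 1 because Euler's theorem then does not apply. Function names are my own.

```python
# Added example (not from the slides): Euler's φ from the prime-power
# factorization (Proposition 7) and exponent reduction mod φ(n) (Basic
# Principle 1), with square-and-multiply for the reduced exponent.
from math import gcd

def factorize(n):
    """Prime-power factorization by trial division: {p: exponent}."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """φ(n) = n ∏ (1 - 1/p) over the distinct primes p dividing n."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)   # exact integer form of n(1 - 1/p)
    return result


def pow_mod(a, e, n):
    """Square-and-multiply: a^e mod n for e >= 0."""
    result, base = 1 % n, a % n
    while e > 0:
        if e & 1:
            result = result * base % n
        base = base * base % n
        e >>= 1
    return result


def pow_mod_via_euler(a, x, n):
    """a^x mod n computed as a^(x mod φ(n)) mod n.

    Valid only when gcd(a, n) = 1, the hypothesis of Euler's theorem:
    e.g. 2^2 ≡ 0 (mod 4) but 2^(2 mod φ(4)) = 2^0 = 1, so we refuse.
    """
    if gcd(a, n) != 1:
        raise ValueError(f"gcd({a}, {n}) != 1: cannot reduce the exponent")
    return pow_mod(a, x % phi(n), n)


if __name__ == "__main__":
    print(phi(1000), pow_mod_via_euler(7, 803, 1000))   # 400 343
    print(phi(101), pow_mod_via_euler(2, 43210, 101))   # 100 14
```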
Tutorial 3: Chinese Remainder
Theorem
• Write Code to Implement CRT
• Solve Practical Examples
Chinese Remainder Theorem
• Introduction and Applications
• Solve Systems of Congruences
• Practical Implementation
The Chinese Remainder Theorem
$x \equiv 4 \pmod 7$
$x \equiv 25 \pmod{42}$
$x \equiv 1 \pmod 6$.
The Chinese remainder theorem shows that this process can be
reversed.
Theorem 5 (Chinese Remainder Theorem) Suppose $\gcd(m, n) = 1$.
Given $a$ and $b$, there exists exactly one solution $x \pmod{mn}$ to the
simultaneous congruences
$$x \equiv a \pmod m, \quad x \equiv b \pmod n.$$
Proof. There exist integers $s, t$ such that $ms + nt = 1$. Let $x = bms + ant$.
Then $x \equiv ant \equiv a \pmod m$ (since $nt \equiv 1 \pmod m$) and $x \equiv bms \equiv b \pmod n$. Suppose $x_1$ is another
solution. Then $m \mid x - x_1$ and $n \mid x - x_1$, so $x - x_1 = mk = nl$, and $x - x_1 =
(x - x_1)(ms + nt) = mn(ls + kt)$, i.e. $x \equiv x_1 \pmod{mn}$.
The Chinese Remainder Theorem (Continued)
Example 8 Solve $x \equiv 3 \pmod 7$, $x \equiv 5 \pmod{15}$.
Solution: Since $80 \equiv 3 \pmod 7$ and $80 \equiv 5 \pmod{15}$,
$x \equiv 80 \pmod{105}$. The theorem guarantees that such a solution
exists and is uniquely determined mod $mn$.
Two methods to find the solution:
(1) List the numbers congruent to $b \pmod n$ until you find
one that is congruent to $a \pmod m$. For example, the numbers
congruent to $5 \pmod{15}$ are $5, 20, 35, 50, 65, 80$. Mod 7, these
are $5, 6, 0, 1, 2, 3$.
(2) The numbers congruent to $b \pmod n$ are of the form $b + nk$,
so we need to solve $b + nk \equiv a \pmod m$. Obtain $k \equiv (a - b) n^{-1} \pmod m$.
Substituting $k$ back into $b + nk$, then reducing mod $nm$, gives the
answer.
The Chinese Remainder Theorem (Continued)
Example 9 Solve $x \equiv 7 \pmod{12345}$, $x \equiv 3 \pmod{11111}$.
Solution: $11111^{-1} \pmod{12345} \equiv 2471$. Therefore, $k \equiv
(7 - 3) \cdot 2471 \equiv 9884 \pmod{12345}$. This yields $x \equiv
3 + 11111 \cdot 9884 = 109821127 \pmod{11111 \cdot 12345}$.
# If you start with a congruence modulo a composite number
$n$, you can break it into simultaneous congruences modulo
each prime power factor of $n$, then recombine the resulting
information to obtain an answer mod $n$. The advantage is
that often it is easier to analyze congruences modulo primes or
modulo prime powers than to work modulo composite
numbers.
The Chinese Remainder Theorem (Continued)
Example 10 Solve $x^2 \equiv 1 \pmod{35}$.
Solution: $x^2 \equiv 1 \pmod{35}$ is equivalent to
$x^2 \equiv 1 \pmod 5 \iff x \equiv \pm 1 \pmod 5$,
$x^2 \equiv 1 \pmod 7 \iff x \equiv \pm 1 \pmod 7$.
We can put these together in 4 ways:
$x \equiv 1 \pmod 5$, $x \equiv 1 \pmod 7$ $\Rightarrow$ $x \equiv 1 \pmod{35}$,
$x \equiv 1 \pmod 5$, $x \equiv -1 \pmod 7$ $\Rightarrow$ $x \equiv 6 \pmod{35}$,
$x \equiv -1 \pmod 5$, $x \equiv 1 \pmod 7$ $\Rightarrow$ $x \equiv 29 \pmod{35}$,
$x \equiv -1 \pmod 5$, $x \equiv -1 \pmod 7$ $\Rightarrow$ $x \equiv 34 \pmod{35}$.
The Chinese Remainder Theorem (Continued)
Theorem 6 (CRT - General Form) Let $m_1, m_2, \ldots, m_k$ be
integers with $\gcd(m_i, m_j) = 1$ whenever $1 \leq i < j \leq k$. Given
integers $a_1, a_2, \ldots, a_k$, there exists exactly one solution
$x \pmod{m_1 m_2 \cdots m_k}$ to the simultaneous congruences
$$x \equiv a_1 \pmod{m_1}, \quad x \equiv a_2 \pmod{m_2}, \quad \ldots, \quad x \equiv a_k \pmod{m_k}.$$
Proof. We omit the proof.
Therefore, in general, if $n = p_1 p_2 \cdots p_r$ is the product of $r$
distinct odd primes, then $x^2 \equiv 1 \pmod n$ has $2^r$ solutions.
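The general-form CRT (Theorem 6) and the $2^r$ square roots of 1, as an added Python example (not code from the slides): crt merges one modulus at a time using method (2) from Example 8, and square_roots_of_one recombines the ±1 choices of Example 10 for any list of distinct odd primes. Function names are my own; pow(M, -1, m) for the modular inverse needs Python 3.8 or later.

```python
# Added example (not from the slides): the general Chinese Remainder
# Theorem (Theorem 6) built by repeatedly applying method (2) above, and
# the x^2 ≡ 1 (mod n) solutions for n a product of distinct odd primes.
from itertools import product
from math import gcd

def crt(residues, moduli):
    """Unique x mod M = m_1*...*m_k with x ≡ a_i (mod m_i); returns (x, M).

    The moduli must be pairwise coprime. Each step merges the running
    solution x (mod M) with a_i (mod m_i): x + M*k ≡ a_i, so
    k ≡ (a_i - x) * M^{-1} (mod m_i), exactly method (2) on the slide.
    """
    x, M = 0, 1
    for a, m in zip(residues, moduli):
        if gcd(M, m) != 1:
            raise ValueError(f"moduli are not pairwise coprime at {m}")
        k = ((a - x) * pow(M, -1, m)) % m   # pow(M, -1, m) = M^{-1} mod m
        x += M * k
        M *= m
    return x % M, M


def square_roots_of_one(primes):
    """All x mod n = p_1*...*p_r with x^2 ≡ 1 (mod n), r distinct odd primes.

    x^2 ≡ 1 (mod p) forces x ≡ ±1 (mod p); choosing a sign per prime and
    recombining with crt() yields the 2^r solutions noted after Theorem 6.
    """
    solutions = set()
    for signs in product((1, -1), repeat=len(primes)):
        x, _ = crt([s % p for s, p in zip(signs, primes)], primes)
        solutions.add(x)
    return sorted(solutions)


if __name__ == "__main__":
    print(crt([3, 5], [7, 15]))              # (80, 105), Example 8
    print(crt([7, 3], [12345, 11111]))       # (109821127, 137165295), Example 9
    print(square_roots_of_one([5, 7]))       # [1, 6, 29, 34], Example 10
```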
Advanced Topics in Cryptography
• Primitive Roots
• Discrete Logarithms
• Elliptic Curve Arithmetic
Primitive Root
Consider the powers of $3 \pmod 7$:
$3^1 \equiv 3, \ 3^2 \equiv 2, \ 3^3 \equiv 6, \ 3^4 \equiv 4, \ 3^5 \equiv 5, \ 3^6 \equiv 1$.
Note that we obtain all the nonzero congruence classes
modulo 7 as powers of 3. This means that 3 is a primitive root
modulo 7. But $3^3 \equiv 1 \pmod{13}$, so only 1, 3, 9 are powers of 3.
Therefore, 3 is not a primitive root mod 13.
In general, when $p$ is a prime, a primitive root modulo $p$ is a
number whose powers yield every nonzero class modulo $p$.
# There are $\phi(p-1)$ primitive roots modulo $p$.
Primitive Root (Continued)
Proposition 8 Let $g$ be a primitive root for the prime $p$.
(1) If $n$ is an integer, then $g^n \equiv 1 \pmod p$ if and only if $n \equiv 0 \pmod{p-1}$.
(2) If $j$ and $k$ are integers, then $g^j \equiv g^k \pmod p$ if and only if $j \equiv k \pmod{p-1}$.
Proof. (1) If $n \equiv 0 \pmod{p-1}$, then $n = (p-1)m$ for some $m$. Therefore,
$$g^n = (g^m)^{p-1} \equiv 1 \pmod p$$
by Fermat's theorem. Conversely, suppose $g^n \equiv 1 \pmod p$. Write
$$n = (p-1)q + r, \quad \text{with } 0 \leq r < p-1.$$
We have
$$1 \equiv g^n = (g^q)^{p-1} g^r \equiv g^r \pmod p.$$
Suppose $r \neq 0$. Then the powers of $g \pmod p$ yield only $g, g^2, \ldots, g^{r-1}, g^r \equiv 1 \pmod p$ before repeating.
Since $r < p-1$, this contradicts the assumption that $g$ is a primitive root. So $r = 0$.
(2) Assume that $j \geq k$. Suppose that $g^j \equiv g^k \pmod p$. Dividing both sides by $g^k$
yields $g^{j-k} \equiv 1 \pmod p$. By (1), $j - k \equiv 0 \pmod{p-1}$, so $j \equiv k \pmod{p-1}$. Conversely, if $j \equiv
k \pmod{p-1}$, then $j - k \equiv 0 \pmod{p-1}$, so $g^{j-k} \equiv 1 \pmod p$ by (1), i.e. $g^j \equiv g^k \pmod p$.
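The primitive-root definition and Proposition 8 in code, as an added Python example (not code from the slides): order_mod finds the smallest n with g^n ≡ 1 (mod p), is_primitive_root checks that it equals p − 1, and the count of primitive roots is compared with φ(p − 1) as the slide states. Function names are my own.

```python
# Added example (not from the slides): multiplicative order, primitive-root
# test and the count φ(p-1) of primitive roots modulo a prime p.
from math import gcd

def powers_mod(g, p):
    """g^1, g^2, ..., g^(p-1) mod p (the table on the slide for g=3, p=7)."""
    return [pow(g, k, p) for k in range(1, p)]


def order_mod(g, p):
    """Smallest n >= 1 with g^n ≡ 1 (mod p); by Proposition 8 it divides p-1."""
    value = 1
    for n in range(1, p):
        value = value * g % p
        if value == 1:
            return n
    raise ValueError(f"{g} is not invertible mod {p}")


def is_primitive_root(g, p):
    """g is a primitive root mod p iff its powers hit all p-1 nonzero classes,
    i.e. iff its order is exactly p-1."""
    return order_mod(g, p) == p - 1


def primitive_roots(p):
    """All primitive roots modulo the prime p."""
    return [g for g in range(1, p) if is_primitive_root(g, p)]


def phi_by_counting(m):
    """φ(m) by counting 1 <= a <= m with gcd(a, m) = 1 (fine for small m)."""
    return sum(1 for a in range(1, m + 1) if gcd(a, m) == 1)


if __name__ == "__main__":
    print(powers_mod(3, 7))                          # [3, 2, 6, 4, 5, 1]
    print(order_mod(3, 13))                          # 3, so 3 is not primitive mod 13
    print(primitive_roots(7), phi_by_counting(6))    # [3, 5] 2
```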
Discrete Logarithm
142
Why is the Discrete Logarithm Hard?
143
Example 1: Small Numbers
144
Example 2: Larger Numbers
145
Elliptic curve arithmetic
• Elliptic curve arithmetic is the foundation of elliptic curve
cryptography (ECC), a widely used cryptographic approach due
to its strength and efficiency. It involves operations performed
on points that lie on an elliptic curve, a mathematical object
defined by an equation of the form:
146
Point Addition
147
Point Addition
148